npm Error: UNABLE_TO_VERIFY_LEAF_SIGNATURE

Rahul Shenoy
3 min read · Apr 23, 2021

We recently faced this issue while setting JFrog Artifactory as the default npm registry.

npm ERR! code UNABLE_TO_VERIFY_LEAF_SIGNATURE
npm ERR! errno UNABLE_TO_VERIFY_LEAF_SIGNATURE
fy the first certificate

npm ERR! A complete log of this run can be found in:
npm ERR! C:\Users\xxx\AppData\Roaming\npm-cache\_logs\debug.log

This is a common error, and we quickly found a few solutions on Google, which unfortunately did not work for us as expected. This post describes how we resolved the issue; it might help you too.

Disabling SSL verification

The simplest solution available online is:

$ npm config set strict-ssl false

This command allows package downloads without SSL validation, so even if SSL verification fails, the package is still downloaded. This works, but it defeats the purpose of SSL verification: npm can no longer tell the real registry from an impostor on the network path. We could not recommend this method to our developers; we would be setting a bad precedent.

Certificates in npm

Unlike some other tools, npm doesn't have a centralized certificate store for trusted certificates. However, npm provides a few ways of setting trusted certificates. This post discusses the cafile approach; you can find other similar approaches in the npm config documentation.

All the npm config methods write to .npmrc, so you may update .npmrc directly if you like.

The cafile setting in npm config lets us specify a trusted certificate that npm uses to verify the SSL connection while downloading packages. This requires the trusted SSL certificate to be downloaded and available to npm.

Download the certificate

First, we need to download the SSL certificate of the package registry. To download it:

  • Click the lock icon in the address bar of the browser, then click Certificate.
  • In the Certificate popup, switch to the Details tab and click Copy To File…
  • A simple wizard appears. Click Next, then choose the PKCS #7 format. You will need all files in the CA chain, so check the box below it too.
  • You will be able to download the certificate with the certificate chain soon after this (the wizard will ask you to choose a folder to download the cert to, that's all).

Certificate reformatting

npm accepts certificates in PEM format, so let's convert the certificate using the openssl tool. I am assuming that you downloaded the file as PKCS #7 in P7B format; if so, this command will work for you:

$ openssl pkcs7 -in /path/to/<name>.p7b -inform DER -print_certs -out /path/to/<name>.pem

If you are on Windows and haven't installed openssl, use Git Bash (thank you Deepak for the trick); it includes several useful tools you may not find in Windows by default.

If you have downloaded a different format, you can find some useful conversion commands here.

Setting cafile

The next step is to let npm know about the trusted certificate you just downloaded:

$ npm config set cafile /path/to/<certname>.pem

That’s all, your npm install should be working now!
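
Before running npm config set cafile, it is worth confirming that the converted PEM really contains the CA chain. The script below is an added example, not part of the original post: it builds a throwaway CA and registry certificate (constructed sample data; the names Demo Root CA and registry.example.test and all helper function names are assumptions), packs them into a DER .p7b, converts it with the openssl pkcs7 command shown earlier, and checks the result with openssl verify.

```shell
#!/bin/sh
# Added example; every name and certificate here is constructed for the demo.

# Number of certificates in a PEM bundle.
count_certs() {
  grep -c -e '-----BEGIN CERTIFICATE-----' "$1"
}

# True only if certificate $2 chains to a root CA contained in bundle $1.
bundle_verifies() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Throwaway root CA plus a registry certificate signed by it, written to dir $1.
make_demo_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=Demo Root CA' \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -subj '/CN=registry.example.test' \
    -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -out "$1/leaf.pem" 2>/dev/null
}

# Pack the PEM certs in $1 into a DER .p7b (standing in for the browser
# export), then convert to PEM at $2 with the command from the post.
p7b_to_pem() {
  openssl crl2pkcs7 -nocrl -certfile "$1" -outform DER -out "$2.p7b" &&
  openssl pkcs7 -in "$2.p7b" -inform DER -print_certs -out "$2"
}

# Report whether bundle $1 can validate registry certificate $2.
report() {
  if bundle_verifies "$1" "$2"; then
    echo "OK   $(count_certs "$1") cert(s): $1"
  else
    echo "FAIL $(count_certs "$1") cert(s), no path to a root CA: $1"
  fi
}

d=$(mktemp -d)
make_demo_pki "$d"
cat "$d/leaf.pem" "$d/ca.pem" > "$d/both.pem"
p7b_to_pem "$d/both.pem" "$d/chain.pem"      # chain box ticked in the wizard
p7b_to_pem "$d/leaf.pem" "$d/leafonly.pem"   # chain box left unticked
report "$d/chain.pem" "$d/leaf.pem"
report "$d/leafonly.pem" "$d/leaf.pem"
```

The bundle exported without the chain holds only the registry's own certificate and fails the check, while the full-chain bundle passes.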

Written by Rahul Shenoy

Senior Architect - Web Technologies, Microservices and DevOps
